Limiting a user to a specific realm
Hi Folks, I know there's an easy way to do this, but I've googled a bit this morning and can't quite figure it out. We are running Freeradius with a users file (no database). I have several realms defined, each with a fallthrough like so: DEFAULT Realm == realm1.com Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 DEFAULT Realm == realm2.com Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 DEFAULT Realm == realm3.com Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500, Fall-Through = 1 I also have these 3 realms defined in the realms file. The way things are setup now, username bob could log in as bob@realm1.com or bob@realm2.com or bob@realm3.com and as long as bob supplied the correct password he would be granted access and that's been fine up until now. What I'ld like to do is to fix it so that only certain usernames could log on as username@realm3.com (leave realm1.com and realm2.com as they are). So anyone with a correct username/password could log in using realm1.com or realm2.com but only bob, jane and alex could log in with realm3.com. I suppose I could add an entry in my users file as so: bob Realm=realm3.com, Auth-Type = Local, Password == xxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500 Would that work? How would I define realm3.com earlier in my users file? Would this work or is there a better way? Thanks, Lisa Casey
What I'ld like to do is to fix it so that only certain usernames could log on as username@realm3.com (leave realm1.com and realm2.com as they are). So anyone with a correct username/password could log in using realm1.com or realm2.com but only bob, jane and alex could log in with realm3.com.
I suppose I could add an entry in my users file as so:
bob Realm=realm3.com, Auth-Type = Local, Password == xxxxx Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Framed-Routing = None, Framed-Compression = None, Framed-MTU = 1500
This will also limit bob to realm3, so he would not be able to log in as realm1 or 2. Create a huntgroup for realm3 (leave users entry for it as it is) and list usernames that can log into it there. Unlisted users will not be able to log in. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Lisa Casey